The security service MI5 acted unlawfully by intercepting and accessing private communications data belonging to the campaigning group Privacy International, Britain's most secret court has ruled.

MI5 admitted today (25 September 2018), at a hearing of the Investigatory Powers Tribunal, that it had captured and read private communications data belonging to non-governmental organisation (NGO) Privacy International.

It emerged that the Secret Intelligence Service (SIS), or MI6, and GCHQ also unlawfully collected data on the activities of the pressure group, which has been campaigning for greater oversight of the security services.

The revelations came during a hearing today in a long-running legal challenge by Privacy International into the lawfulness of the intelligence agencies’ powers to collect bulk communications data (BCD) and bulk personal datasets (BPD) on citizens (see full details below).

Data collection was 'unlawful'

Tribunal chairman Michael Burton made a determination that MI5 had accessed and examined bulk communications data and bulk personal data relating to Privacy International unlawfully. GCHQ and MI6 had also collected bulk communications data and bulk personal data about Privacy International unlawfully.

Caroline Wilson Palow, general counsel for Privacy International, said the ruling had implications for the UK’s surveillance regime, the Investigatory Powers Act 2016.

“Not only was Privacy International caught up in the surveillance dragnet, its data was examined by agents from the UK’s domestic-facing intelligence agency, MI5. We do not know why MI5 reviewed Privacy International’s data, but the fact that it happened at all should raise serious questions for all of us,” she said.

The disclosures raised important principles over the protection of the identity of sources who confidentially provide important information to Privacy International, and other NGOs, she said.

The Investigatory Powers Tribunal heard that MI5 had discovered that it had collected and examined communications data from the pressure group following an audit of its intelligence handling arrangements.

Communications data can include the date and times of phone calls, details of their recipients, location data from mobile phones, websites visited, and the source and destination of emails.

The data was discovered in the “workings” area of MI5’s intelligence systems and had been viewed and analysed. But it fell outside the normal safeguards for handling data, because it had not been compiled into an intelligence report, the court heard.

Thomas De La Mare, representing Privacy International, told the court that MI5 did not have any policies on how long it could retain “working data”, or when it would be deleted - leaving open the prospect that it could be retained indefinitely.

“It suggests the way the product of these bulk databases is handled is defective,” he said. “What has become apparent is the product of the use of these databases had fallen through the cracks. The handling safeguards have failed.”

Using a sofa as an analogy, De La Mare told the court: “They found a few cushions, but when they put their hand behind them they found a whole bunch of data.”

Andrew O’Connor, representing the government, told the court that MI5 had identified a technical solution to manage the retention and deletion of data in the “workings area” in December 2017, but that it would take some time to implement.

“The solution that is required is not straightforward. It is not as simple as flicking a switch and deleting data. It needs to be an end-to-end process,” he said.

Following a protracted secret hearing - in closed session - O'Connor told the court that MI5 had deleted Privacy International's data a day earlier, on 24 September 2018.

De La Mare QC said that the destruction of the data "rather impedes" any potential investigation by the regulator, IPCO.

The IPT has previously ruled that the intelligence services' bulk communications data regime was unlawful until 14 October 2016 and that the regime governing bulk personal datasets remained unlawful until the ‘handling arrangements’ were made public on 4 November 2015.

Tribunal chairman Michael Burton made a determination, at the end of a half-day hearing, that the intelligence services had collected bulk communications data and bulk personal data relating to Privacy International before those dates - and therefore acted unlawfully.

GCHQ held bulk personal data and bulk communications data on the NGO, MI5 also held bulk personal data and bulk communications data on the NGO, and the Secret Intelligence Service (MI6) held bulk personal data on the NGO before the data collection regimes became lawful, he said.

Burton also noted that during the same time period, MI5 had accessed and examined both bulk communications data and bulk personal data about Privacy International.

Privacy International demands action and explanation

Privacy International said it would press MI5 to give a full explanation of the circumstances behind its surveillance of the NGO’s data.

In a letter to the home secretary, Sajid Javid MP, Privacy International said the database searches ordered by the tribunal showed that:

All three intelligence agencies held – or, in the case of GCHQ, most likely held – data relating to Privacy International in its BPDs, while the BPD regime was unlawful.

Both GCHQ and the Security Service held data relating to Privacy International in its BCD, while the BCD regime was unlawful.

The Security Service acquired and selected for analysis data relating to Privacy International as part of one or more investigations. This data was stored indefinitely, with no period for its review and deletion.

The data was not discovered in initial searches and the circumstances of its discovery have not been explained, the NGO wrote. “It demonstrates that the agencies are unable to identify accurately and in a timely fashion what data they should hold and where they should hold it, and give a comprehensive and accurate statement to the IPT as to what is held,” it said.

The European Court found the UK government’s mass interception programme was incapable of keeping interference with individuals’ rights to that necessary in a democratic society, and violated the right to privacy enshrined in Article 8 of the European Convention on Human Rights.

“The Investigatory Powers Act does not address the court’s concerns,” it said. In particular, the government needs to strengthen the safeguards that govern how the secret intelligence agencies examine data gathered through surveillance.

Long-running legal battle exposed gaps in regulation

Privacy International started its legal action in June 2015 to challenge the UK’s use, retention, storage and deletion of databases containing highly sensitive information on the population, following revelations by Edward Snowden that the UK was engaged in mass surveillance on a huge scale.

The case centres on bulk communications data (BCD) obtained by the intelligence agencies from telephone companies and ISPs, and databases containing sensitive personal details of the population, known as bulk personal datasets (BPDs).

BPDs hold personal and biographical details about individuals – the vast majority of which are unlikely to be of intelligence interest – including records of travel, financial transactions, social media activities and communications data, which may include legally and journalistically privileged communications.

BCDs include details of websites visited, email contacts, records of email traffic, the location of mobile phones and call data. Although they do not include the content of emails or phone calls, communications data can be used to build a detailed profile of an individual.

The NGO argues that communications data can be used to build up a “deep and comprehensive” picture of a person’s private life, including what they read online, where they shop, whether they access pornography, what dating sites they use, or whether they visit sites for people with HIV, other medical conditions or seek information on abortion.

Mobile telephone data records the user’s location, which can be used to generate a detailed picture of where the person was, his or her destination, and other intimate details such as whether they have visited a doctor, lawyer or attended a religious service.

Government bodies access communications data on a large scale. In 2017, for example, more than 700,000 applications for communications data were granted to local authorities and government agencies under the Regulation of Investigatory Powers Act (Ripa).

GCHQ unlawfully collected communications data for a decade

In its first judgment following Privacy International's legal challenge, the Investigatory Powers Tribunal (IPT) ruled on 17 October 2016 that Britain’s intelligence agencies had secretly and unlawfully collected the population’s phone and internet data for more than a decade.

The collection of bulk communications data had been kept secret from Parliament and the public, the tribunal found, in effect making its practice unlawful under human rights law, particularly Article 8 of the European Convention on Human Rights.

The government missed several opportunities to publicly avow bulk data collection when codes of practice were being introduced or amended.

“It seems difficult to conclude that the use of BCD was foreseeable by the public when it was not explained to Parliament,” the IPT ruled.

GCHQ had been collecting bulk communications data on the UK population since 1998, but with responsibility for oversight split between several regulators, there was no adequate oversight until the government publicly "avowed" the programme in November 2015.

The intelligence agencies began collecting bulk personal datasets on the population in 2016. But there was no statutory oversight until March 2015 when the government avowed the existence of bulk personal datasets.

“While each of these datasets in themselves may be innocuous, intelligence value is added in the interaction between multiple datasets. One consequence of this is that intrusion into privacy can increase,” the tribunal held.

MI5 used a secret meeting to persuade judges at the UK’s top intelligence and security court not to disclose any information on sensitive databases holding highly intrusive records about the population.

Foreign secretaries gave GCHQ ‘unfettered discretion’

The Investigatory Powers Tribunal ruled in a second judgment on 23 July 2018 that successive foreign secretaries had unlawfully given GCHQ “unfettered discretion” to require internet and telephone companies to hand over bulk data about their customers.

GCHQ often made requests orally to telephone and internet companies, leaving no written records of those requests and providing regulators with no practical means to review whether the data handed over was necessary and proportionate. In practice, GCHQ had “carte blanche”.

“It was entirely understandable that in the aftermath of the 9/11 attack on New York the directions made in November 2001 should have been drafted broadly so as to allow GCHQ to vary the data it sought as intelligence requirements rapidly developed,” the tribunal ruled. But the scope of those powers should have been reviewed, it said.

The tribunal found, in the light of new evidence, that the bulk communications data regime was in breach of article 8(2) of the European Convention on Human Rights, until 14 October 2016 – 11 months longer than it had determined in its first judgment.

GCHQ slammed for misleading evidence

The tribunal's second judgment also criticised GCHQ for providing misleading evidence over directions issued by the foreign secretary under Section 94 of the Telecommunications Act 1984, which required internet and telecommunications companies to give the intelligence services access to their customers’ communications data.

Privacy International discovered five serious errors in written evidence given by a former senior director responsible for mission policy which later had to be corrected.

The director, who gave evidence from behind a screen in an open hearing, claimed that IT contractors may have systems administrator rights during the design, build and testing phase of a project, but that once it was complete those rights were passed to members of GCHQ staff.

After the hearing, he submitted a new witness statement retracting his evidence, stating that GCHQ did grant contractors systems administrator rights to live GCHQ IT systems.

“Following a change in policy a few years ago, there are contractors within GCHQ who are administrators of operational systems. This is because much of the hardware and software from these systems is provided by industry partners, and they are therefore best placed to support those systems,” the director said.

The tribunal said GCHQ had breached its duty of disclosure and raised concerns that it may have passed similarly inaccurate information to the independent commissioners responsible for overseeing its work.

“This will have meant the commissioners were not overseeing GCHQ on a complete and accurate picture of what it was actually doing. We are satisfied that the giving of the incorrect information constituted a breach of GCHQ’s duty to make disclosure to the tribunal under s68(6) of Ripa,” it said.

Sharing of bulk data with foreign spy agencies is lawful

The tribunal ruled the UK intelligence services were able to lawfully share sensitive data on UK citizens with overseas intelligence agencies, law enforcement and industry partners, rejecting arguments by Privacy International that the practices lacked adequate oversight.

The tribunal also found that intelligence agencies’ use and collection of bulk personal data and bulk communications data complied with the European Convention.

European Court of Justice to rule on lawfulness of bulk surveillance

The Investigatory Powers Tribunal asked the Court of Justice of the European Union (CJEU) to answer a series of questions over the lawfulness of the UK’s bulk communications regime, under European law, following a ruling on 8 September 2017.

The court of justice found that European Union (EU) law did not permit member states to adopt legislation that allows general and indiscriminate retention of data.

According to the European Court's ruling, an independent body must authorise any access to data, only the data of those suspected of serious crimes could be accessed, and those who had their data accessed must be notified.

“The fact that the data is retained without the users of electronic communications services being informed of the fact is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance. Consequently, only the objective of fighting serious crime is capable of justifying such interference.”

The question of the applicability of the Watson judgment is complicated by the e-Privacy Directive (EPD) and Article 4 of the Treaty on European Union (TEU), which states that national security is the sole responsibility of each member state – issues which the tribunal is waiting for the European Court of Justice to resolve.

This article was updated on 26 September 2018

Privacy International at the Investigatory Powers Tribunal

The IPT rules that the government acted unlawfully by allowing intelligence agencies to gather data on UK citizens without proper oversight from the foreign secretary, following new powers after the 2001 attacks on the World Trade Centre. The tribunal criticises GCHQ for giving materially inaccurate evidence. It updates its first judgment in the case to say GCHQ had operated illegally until 14 October 2016, rather than 4 November 2015. It holds that the government had not breached the European Convention on Human Rights by sharing intercepted communications data with law enforcement or industry partners, and that collection and retention of bulk personal data was proportionate in law.

12-13 March 2018

The IPT hears evidence that the foreign secretary had unlawfully delegated authority for obtaining bulk communications data from telecoms and internet companies to GCHQ staff, following disclosure of further evidence by intelligence agencies. Privacy International questions the legality of GCHQ giving systems administrator rights to sensitive databases, and the proportionality in law of mass collection of citizens’ personal data.

Tribunal hears evidence from MI5, MI6 and GCHQ in a secret “closed” session.

1 December 2017

Privacy International asks the tribunal to reconsider its judgment in October 2016, following the disclosure of further evidence which challenges the adequacy of oversight of the intelligence agencies.
